multi/many core in avionics systems - irit · pdf filemulti/many core in avionics systems 4th...

Multi/many core in Avionics Systems 4th TORRENTS Workshop December, 13th 2013

Presented by Jean-Claude LAPERCHE - AIRBUS

© AIRBUS Operations S.A.S. All rights reserved. Confidential and proprietary document.

December, 13th 2013 4rd Torrents Workshop - Multi/Many core in Avionics Systems - V1.0

Agenda

• Introduction

• Processors Evolution/Market • Aircraft needs

• Multi/Many-core Drawbacks & Possible ways

• Other challenges for multi-core in avionics system

• Conclusion


Introduction

• Improvement of Aircraft (A/C) Safety over last 50 years,

• Many factors : Training, Regulation rules, ... New A/C, New functions (Fly-by-wire, ...),

• Safety Improvement is the result of the COTS use and above all

COTS µPs allowing more and more A/C functions.

December, 13th 2013

010203040506070

1959 2010

Annual Accident Rate (per millions departures)

4rd Torrents Workshop - Multi/Many core in Avionics Systems - V1.0


Processors Evolution

� From 1970 to 200x : Mono-core architecture Ò Processing power by Ò frequency, Ò Cache but thermal dissipation limit.

• In 2005, Intel stops the “Ghz” race for the new "performance per watt" race. Objective: consumption ÷ 10 by using

Î Electronic integration Î Multi-Core Processor (MCP) architecture


INTEL Roadmap


Processors Market

• All µP/FPGA Manufacturers offer Multi-core µprocessor products ÎConsumer Market and Telecom, Automotive, Medical markets ÎLow power consumption multicore boosted by Tablet, Smartphone, movable device

(medical, military..)




Processors Market

Avionics does not lead the processors market

Other targeted markets do not have the same constraints

COTS’ internal architectures are in constant evolution o Towards “Systems-On-Chip” o Increase of power computing Ö multi-core Ö many-core

Only few multi-core COTS are eligible for avionics


Aircraft trends

• New functions for navigation optimization, Synthetic visualization, Data transmission,

• Increased software size, • High Speed Communication Buses(1Ghz Network Î 10000 A429 (100Kb/s))

• Security Data management , • Integration: incorporate more and more functions in one computer

(less weight, volume, watts, .), • Obsolescence management, •


ÎMulti/Many-cores could : � Be an answer for these needs, � Help Aircraft Manufacturer to continue improving Safety


Multi/Many-core Drawbacks & Possible ways


External

Memory

External Memory

Core 1 Cache L1/L2

Core 2 Cache L1/L2

Core n Cache L1/L2

. . .

Interconnect

Memory Controller 1

Memory Controller 2

I/O 1 I/O n . . .

Cache L3 Cache L3

WCET: Worst case Execution Time

Î Shared Cache (L3), Î Memory controllers: accesses slowed down if simultaneous requests from ��FRUHV� Î I/O controllers.

Timing variability

Î Limit functional usage domain (same as mono-core µP) of the Multicore SoC to decrease demonstration efforts,

Î Find an adequate execution model to meet our predictability requirements, Î Determine how to support robust partitioning (temporal, space, I/Os).

Possible ways


Self-reconfiguration:

- Frequency self modification in case of overheat,

- ARM Big/Little Architecture: Self selection of the appropriate Core with no indication to the software

Possible ways:

- to deactivate these functions if possible,

- To use these functions under software management (with a complete behavior change)

November 013 Multi-core processor for Avionics - Draft3





SEU: Single Event Upset MBU: Multiple Bit Upset

Software Integration: Lack of observability & Verification Means,

Possible ways:

Î Simulation, Instrumentation/monitoring, internal debug features,

SEU/MBU (cosmic radiation) management

Î If SEU rate should be stable, the ratio SEU/MBU ratio could increase.

Î Analysis more complex, SEU/MBU effect on common features ?

Possible Ways:

Î Duplication/Triplication of application to detect/correct impact of SEU/MBU

• Impact on processing power, time variability, etc

• Easier with many-cores than with multi-cores ?




Reliability & Life Time: • Multi/Many-core first components “using” electronic integration.

• Impact on: Î Infant mortality phase: Ü failures during Final Assembly Line Î Reliability: Þ MTBF ; Î Wear Out Phase: Ü DMC(DirectMaintenanceCost), Prediction models ?

Time

Failure rate

Infant Mortality Phase

Random Failure Phase Wear out Phase

Avionics system need

Reliability

Life time

Delivery

Possible ways Î System Architecture (Redundancy/ Backup ) Î Possibility to increase Reliability/Life time with a specific use : - cores switch off/on, cyclic use, lower voltage, lower frequency ? Î New screening method to improve “Infant Mortality Phase”




Safety demonstration:

• Quantitative analysis: Today based on constant failure rates. Tomorrow need to take into account wear-out phase (mean failure rate, Weibull law, ) ?

• Multi/many-core not developed according to aeronautical standards (as usual for COTS component),

Î Safety analysis depends on “erroneous behaviour” detection coverage

Possible ways

Î Set up mitigation means to limit the Multi/Many-Core COTS undesired effects impacts (Architecture mitigation):

Î At equipment level,

Î At function/system level.


Mitigation means at equipment level:

Î Example of monitoring on mono-core SOC: Not linked with A/C function

Equipment Mono-Core µp

Inputs /

Outputs

Complex

Peripheral

Zone

CPU Core (DO178 Zone)

DO254 or DO178 µp

Zone (z Clock, Power Supply)

• Validation of ALL exchanged Data (CRC ) • Global behaviors monitoring (watchdog, )



DO178: Software considerations in airborne systems and equipment certification DO254: Design Assurance Guidance for Airborne Electronic hardware



Mitigation means at equipment level:

Î For Multi-core : same principle with cross-check between cores and 1 final check by an external proven component.


External

Memory

External Memory

Core 1 Cache L1/L2

Core 2 Cache L1/L2

Core n Cache L1/L2

. . .

Interconnect

Memory Controller 1

Memory Controller 2

I/O 1 I/O n . . .

Cache L3 Cache L3

DO254 or DO178 µp Zone

(z Clock, Power Supply)


Mitigation means at Function - AC Level:

Î Example of monitoring on mono-core SOC COTS

²



Complex Peripheral Zone CPU zone

Computer 1

F

Servo-Control

Computer 2

MF

F: Function MF: Monitoring Function


Mitigation means at Function - AC Level:

Î Example of monitoring on mono-core SOC COTS



Complex Peripheral Zone CPU zone

Computer 1

F

Servo-Control

Computer 2

MF

F1 : Monitoring of COTS behavior => data known, same spatial and timing that functional data linked with safety objectives.

F1

Check F1

Î Monitoring could be adapted to Multi-core/manycore


Fault Tolerance concept – [For safety critical system (as FlightByWire)]

• Multi/many cores could integrate more and more A/C functions � Total Component failure: Ò simultaneous system reconfigurations ! � Partial component failure (1 or more cores) or fault due to SEU :

• reconfiguration to another core, • should be done without impact at computer/aircraft level

• Because, in case of failure, System Designer has to master

� Computers/A/C functions reconfiguration, � impact on hydraulic or electric networks, � A/C zonal analysis, � Crew alerting.

Î Internal reconfiguration of Multi/Many-core could be set up only to reach

reliability/safety objectives at component/equipment level.


With no or limited impact on aircraft flight

Other challenges for multi/many-core in avionics


System Architecture o Multi-core COTS could have significant impact on system architecture:

� To be adapted to multi-core: � WCET demonstration, parallel programming ,

� Due to Architecture Mitigation

� Dissimilarity ? New Monitoring ? Fault tolerant architecture

Certification aspects:

o Mainly derived from technical aspects and ways to use the COTS (confidence in COTS is based on experience) o Airworthiness authorities could request more justifications




Industrial aspect:

o Faultless support of component manufacturer (access to design data) o To design « long lasting » solutions by limiting adherence to internal COTS

architectures o To Maintain competence during 30-50years o Avoid only one multi/many-core manufacturer for avionics,




Conclusion

• Multi/many-Core Processor :

ÎNormal evolution for avionics systems,

Î Complexity will continue to increase, Î Complex/long studies to develop skills/solution/certification justifications,

Î Potential impact on system architecture,

Î Multi/Many-cores could : � propose opportunity for new A/C functions, � Help Aircraft Manufacturer to continue improving Safety.



© AIRBUS S.A.S. All rights reserved. Confidential and proprietary document. This document and all information contained herein is the sole property of AIRBUS S.A.S. No intellectual property rights are granted by the delivery of this document or the disclosure of its content. This document shall not be reproduced or disclosed to a third party without the express written consent of AIRBUS S.A.S. This document and its content shall not be used for any purpose other than that for which it is supplied. The statements made herein do not constitute an offer. They are based on the mentioned assumptions and are expressed in good faith. Where the supporting grounds for these statements are not shown, AIRBUS S.A.S. will be pleased to explain the basis thereof. AIRBUS, its logo, A300, A310, A318, A319, A320, A321, A330, A340, A350, A380, A400M are registered trademarks.

Thank You


multi/many core in avionics systems - irit · pdf filemulti/many core in avionics systems 4th...

Documents